Perimeter Defense - Email Security > [T3]: Malicious URLs: phishing example
Let's look at the following phishing example:
[Figure]
This is an actual, typical phishing email that tries to steal users' credentials. Attackers craft the content of a phishing email to look as legitimate as possible so that they can deceive users. As we can see in the mail body, it asks users to verify their email address by clicking on the VERIFY EMAIL button. If we hover over the button, we can see the link's true destination: the phishing site where users will submit their credentials.
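The "hover over the button" check can be done programmatically over the HTML body of a message. The following is an added example (not part of the original page) that parses a constructed sample email, collects every anchor's visible text and href, and flags links whose real destination host lies outside the apparent sender's domain. The sample message, the sender/recipient addresses and the hostnames in it are all made up for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the "VERIFY EMAIL" button's href
# points to a host unrelated to the apparent sender's domain.
SAMPLE_EML = b"""From: IT Support <support@example.com>
To: user@example.com
Subject: Verify your email address
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox will be suspended. Please verify your address.</p>
<a href="http://login-verify.example.net/auth">VERIFY EMAIL</a>
<p>Help: <a href="https://example.com/help">example.com/help</a></p></body></html>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(raw_eml):
    """Programmatic 'hover over the button': return (visible text, href) pairs
    whose true destination host is outside the sender's domain."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    parser = AnchorCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            flagged.append((text, href))  # mailto:/relative links have no host
    return flagged
```

A real triage script would also compare the href host against the visible text when that text itself looks like a URL, since a displayed "example.com" pointing elsewhere is the classic lure.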
One of the valuable online services for quickly analyzing malicious attachments, URLs, and emails is ANY.RUN. It offers the ability to interact with suspected artifacts in a safe environment.
[Figure]
To analyze something, you need to select 'New task' from the left pane, select whether it's a URL or a file, and finally select the operating system you would like to execute the file or visit the URL on.
[Figure]
Here is the link for the example phishing email we mentioned above.
[Figure]
Any.Run provides a wealth of important information, such as:
- A verdict: whether the submitted file is malicious, suspicious, or clean.
- The ability to download the sample.
- A summary of indicators of compromise (IOCs), e.g., contacted domains, IPs, and URLs.
- Running processes.
For SOC analysts, seeing what the attack looked like when it was first detected is very important because it adds a lot of context. Fortunately, Any.Run keeps multiple snapshots of the attack in its original format, which can be viewed by moving the mouse right and left. As we can see, this was the phishing site:
The view we saw above is the history of the last analysis attempt for that sample file. SOC analysts can click the 'restart' button at any time to reanalyze the file and interact with it in a live environment, as in the following figure:
[Figure]
You can also search ANYRUN's public database for more samples with specific criteria, which is very helpful for practicing with real samples seen in the wild.
[Figure]
Bottom line: malicious URLs come in different forms, such as phishing pages and downloadable malware samples, which makes it hard for defenders to block them. Fortunately, some security controls are very effective at neutralizing malicious URL threats. Let's look at the available defenses in the next section.